CRMO vs. CRO: Who Does What?

By: Fran Howarth


The purpose of a chief risk management officer (CRMO) is to identify and analyze events that pose a threat to the organization. A recent AICPA survey found that in 2016, the percentage of organizations that employ CRMOs jumped 10 points to 42 percent. Part of the reason for this growth is the increase in threats from internal, external, man-made and natural sources.

The CRMO Empowers Resiliency

This rise of increasingly complex risks has led many organizations to shift from a reactive stance solely aimed at reducing risks to a proactive position that effectively detects and responds to threats. With this shift comes a growing emphasis on incident response and disaster recovery, both of which require careful planning.

The resiliency achieved from detecting risks and quickly and efficiently responding to incidents enhances enterprise stability, which in turn fosters growth. However, a recent report conducted by the Ponemon Institute notes that there are still barriers to overcome to achieve resiliency. According to the study, 66 percent of enterprises cited insufficient planning and preparedness as their main roadblock in 2016, with increased complexity of IT processes and a lack of effective incident response plans close behind.

The Rise of the Chief Resiliency Officer

Organizations’ desire to achieve greater resiliency is resulting in the rise of the chief resiliency officer (CRO). This position has gained legitimacy in public institutions, driven by the Rockefeller Foundation’s 100 Resilient Cities program, which equips cities around the world with the tools they need to handle the physical, social and economic challenges they face. The program notes that the CRO plays a strategic role in decision-making to stay ahead of future problems while developing disaster and crisis management plans. The CRO must work closely with other key executives, including the CRMO, who will help identify the risks to prepare for.

According to PwC, the role of CRO may be taken up by the chief compliance officer (CCO) in many organizations by 2025. This position will be more involved in strategy than it is today. CCOs will focus their efforts on strategic risks and how they might impact the organization’s resiliency and growth. They’ll deploy technology and metrics to identify potential problems and mitigate them at the earliest opportunity. To achieve their goals, CCOs must ensure that members of the compliance team work closely with their colleagues in crisis management, risk management and internal auditing.

PwC notes that the whole purpose of the CCO, to achieve increased resiliency and enablement, is perfectly aligned with that of the CRO. For simplicity’s sake, maybe businesses should just stick with this one title. Either way, the CRMO role isn’t going away any time soon, and the newer role of CRO will enable a more proactive response to identified risks.



About The Author

Fran Howarth

Freelance Writer

Fran Howarth is an industry analyst and writer specializing in cybersecurity. She has worked within the security technology sector for more than 25 years in an advisory capacity as an analyst, consultant and writer. Fran focuses on the business needs for security technologies, with a focus on emerging technology sectors. Current areas of focus include cloud security, data security, identity and access management, network and endpoint security, security intelligence and analytics and security governance and regulations. Fran can be reached at
